The US CERT is warning of a critical vulnerability in PHP which has been disclosed, by mistake, to the public while the developers are still working on a fix. The vulnerability affects servers that are running PHP in CGI mode; FastCGI for PHP installations are not affected.

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

I took a closer look at the bug report and found that it's not PHP that is vulnerable, but PHP in combination with the webserver (Apache?) used by the bug reporter. When using Hiawatha, you are not vulnerable. Hiawatha does not (of course!!!) add URL parameters to the command line when executing PHP in CGI mode.

__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
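
The web server behaviour discussed in the post above, as an added example that is not part of either post and is not Hiawatha's or PHP's code: under RFC 3875 section 4.4, a CGI server passes the query string to the script as command-line arguments when a GET or HEAD request's query contains no unencoded `=`. This Python code flags such requests in an access log; the log lines, the `.php` suffix and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def cgi_command_line_words(method, target):
    """Return the words an RFC 3875 section 4.4 server would pass as
    command-line arguments to a CGI script, or [] if it would pass none."""
    if method not in ("GET", "HEAD"):
        return []
    _, sep, query = target.partition("?")
    if not sep or not query:
        return []
    # An unencoded '=' marks an ordinary form query: no command line is built.
    # ('%3D' is an encoded '=' and does not count.)
    if "=" in query:
        return []
    # Indexed query: split on '+', then URL-decode each word.
    return [unquote(word) for word in query.split("+")]

def flag_indexed_queries(log_lines, cgi_suffix=".php"):
    """Return (line_number, argv_words) for requests to CGI-handled paths
    whose query string would reach the interpreter's command line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m["target"].partition("?")[0]
        if not path.endswith(cgi_suffix):
            continue
        words = cgi_command_line_words(m["method"], m["target"])
        if words:
            hits.append((n, words))
    return hits

# Constructed sample log lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=2&sort=asc HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?red+shoes HTTP/1.1" 200 734',
    '192.0.2.12 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?a%3Db HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2024:10:00:04 +0000] "POST /form.php?draft HTTP/1.1" 200 90',
    '192.0.2.14 - - [01/Jan/2024:10:00:05 +0000] "GET /static/logo.png?v2 HTTP/1.1" 200 4096',
]
```

A server that never builds a command line from the query string, as the post says of Hiawatha, makes every flagged line harmless; on a server that follows section 4.4, the flagged words are what the PHP CGI binary would receive as arguments.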